
Indeed this is pretty bad.

The vast majority of developers do not update their frameworks to the latest version, so this is something that will linger on for years. Particularly if you're on Next something-like-12 and there are breaking changes in order to go to 16 + patch.

OTOH this is great news for bad actors and pentesters.



This doesn't affect Next 12. Every single minor version of Next that's affected has a patch in the corresponding minor release cycle: https://nextjs.org/blog/CVE-2025-66478#fixed-versions



